08-28-2023 11:55 PM
Hi there,
I'm using an ASA5516 and a Firepower 1140 as VPN gateways with AnyConnect.
I installed the CA certificate generated by a third-party RADIUS on both the ASA5516 and the Firepower 1140.
I also generated and installed a client certificate for my computer.
When I attempt to connect to the VPN (ASA5516) using AnyConnect, there is no problem. On the other hand,
when I attempt to connect to the VPN (Firepower 1140) using AnyConnect, I receive the error "Certificate Validation Failure" in AnyConnect.
The AnyConnect VPN configuration is the same on both of them, but the version is different.
ASA5516 Version 9.8(4)
Firepower 1140 Version 9.16(2)7
I also noticed that the CA certificate shown is slightly different (I installed the same CA certificate, though):
ASA5516 shows 00xxxxxxxxxxxxxxxx (18 alphanumeric characters)
Firepower 1140 shows xxxxxxxxxxxxxxxx (16 alphanumeric characters)
where x is the same alphanumeric character on both.
Any advice would be appreciated.
08-29-2023 01:39 AM
Check the logs of the Firepower 1140 when this happens.
M.
08-29-2023 02:40 AM - edited 08-29-2023 05:47 PM
Hello M,
Thank you for your reply.
When I use "show logging", there are too many logs and I cannot pick out the ones I want to check.
Is there a command that lets me check the logs more easily?
I found the logs:
%ASA-6-725016: Device selects trust-point ASA-self-signed for client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443
%ASA-6-725004: Device requesting certificate from SSL client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for authentication
%ASA-6-725004: Device requesting certificate from SSL client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for authentication
%ASA-7-725017: No certificates received during the handshake with client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for TLSv1.2 session
%ASA-6-725002: Device completed SSL handshake with client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for TLSv1.2 session
It seems the Firepower doesn't recognize the certificate from my computer, even though it has the right one.
08-29-2023 07:20 AM
Did you import the certs to the FTD, including the root and the chain?
Follow the guide below:
08-29-2023 05:30 PM
Hello BB,
Thank you for your reply.
I referred to the article below.
https://tayam-infra.net/how-to-configure-asa-for-certificate-based-authentication/
I'm not really sure whether the FTD includes the root and chain or not, because I don't use FMC.
08-30-2023 06:52 AM
How are you managing the FTD? FDM?
You can open the file in Notepad++ and see whether it has the chain or not.
08-31-2023 07:27 AM
I looked into the logs and found the error "peer certificate key usage is invalid".
What I did was to add "ignore-ssl-keyusage".
It's working now.
Thanks for your advice.
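As an added example (not code from the thread, from Cisco, or from the linked article), the script below triages the handshake messages quoted earlier in this thread together with the key-usage error found in this post. It groups the 7250xx SSL syslog messages per client socket, reports when the gateway sent a CertificateRequest (725004) but the client returned no certificate (725017), and counts occurrences of the "peer certificate key usage is invalid" text. The sample input is the excerpt posted above with the addresses masked as in the post, plus one constructed line carrying only the key-usage text; the thread does not show that line's full format or syslog ID, so the script matches it by substring only.

```python
"""Triage ASA/FTD syslog for an AnyConnect client-certificate handshake failure.

Added example; not code from the thread or from Cisco. SAMPLE_LINES is the log
excerpt posted in the thread (addresses masked as in the post) plus one
constructed line carrying the 'peer certificate key usage is invalid' text.
"""
import re
from collections import defaultdict

# Shape shared by the 7250xx SSL messages in the post:
# %ASA-<sev>-<msgid>: <text> <ifname>:<client ip/port> to <server ip/port> [...]
LOG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*?)\s+"
    r"(?P<ifname>\w+):(?P<client>\S+)\s+to\s+(?P<server>\S+)"
)
TRUSTPOINT_RE = re.compile(r"trust-point (\S+)")
KEY_USAGE_TEXT = "peer certificate key usage is invalid"

SAMPLE_LINES = [
    "%ASA-6-725016: Device selects trust-point ASA-self-signed for client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443",
    "%ASA-6-725004: Device requesting certificate from SSL client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for authentication",
    "%ASA-6-725004: Device requesting certificate from SSL client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for authentication",
    "%ASA-7-725017: No certificates received during the handshake with client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for TLSv1.2 session",
    "%ASA-6-725002: Device completed SSL handshake with client outside:xx.xx.xx.xx/2212 to xx.xx.xx.xx/8443 for TLSv1.2 session",
    # Constructed: only this quoted text is known from the thread, not the full line.
    "peer certificate key usage is invalid",
]


def triage(lines):
    """Group SSL handshake messages per client socket and count key-usage rejections."""
    sessions = defaultdict(lambda: {
        "trustpoint": None,   # 725016: which server cert was presented to this client
        "requested": 0,       # 725004: how many times a client cert was requested
        "no_cert": False,     # 725017: client answered with no certificate
        "completed": False,   # 725002: TLS handshake finished regardless
    })
    key_usage_errors = 0
    for line in lines:
        if KEY_USAGE_TEXT in line:
            key_usage_errors += 1
        m = LOG_RE.search(line)
        if not m:
            continue
        s = sessions[m["client"]]
        msgid = m["msgid"]
        if msgid == "725016":
            tp = TRUSTPOINT_RE.search(m["text"])
            s["trustpoint"] = tp.group(1) if tp else None
        elif msgid == "725004":
            s["requested"] += 1
        elif msgid == "725017":
            s["no_cert"] = True
        elif msgid == "725002":
            s["completed"] = True
    return {"sessions": dict(sessions), "key_usage_errors": key_usage_errors}


def verdicts(report):
    """Turn the grouped counters into one-line findings a practitioner can act on."""
    out = []
    for client, s in report["sessions"].items():
        if s["requested"] and s["no_cert"]:
            out.append(
                f"{client}: certificate requested {s['requested']}x, none received "
                f"(725017); the client sent no certificate, so check the client cert, "
                f"its issuing CA on the gateway, and its Key Usage"
            )
        elif s["requested"]:
            out.append(f"{client}: certificate requested and received")
    if report["key_usage_errors"]:
        out.append(
            f"{report['key_usage_errors']} key-usage rejection(s): the client cert does "
            "not pass the SSL Key Usage check; a reissued cert with the right Key Usage "
            "is the fix, ignore-ssl-keyusage only disables the check"
        )
    return out


if __name__ == "__main__":
    for finding in verdicts(triage(SAMPLE_LINES)):
        print(finding)
```

On the box itself, `show logging | include 725` narrows the output to the 7250xx SSL handshake messages before you paste them into a script like this, which is the quickest answer to the "too many logs" problem raised earlier in the thread.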
09-01-2023 09:48 AM
That's not the best, but if that works for you, you're welcome.